An evil Trojan


Harrison

I encountered an evil Trojan today.

I got that PC with the faulty PSU up and running properly today and booted into Windows. I then discovered the OS was riddled with viruses and spyware. Boxes were popping up all over the place when the desktop appeared and there were trials of different virus checkers, spyware scanners etc. installed and all trying to work together in the system tray. A complete mess.

Anyway, I uninstalled all the trial copies of the security software the PC's owner had obviously been trying to use to combat his infected system including McAfee (proves that is as crap as people say) and I was left with one virus scanning program called Personal AntiVirus which I could not find any mention of in add/remove programs or the start menu. I did find the program in the Program Files directory but it refused to be deleted.

I did some Googling and discovered it isn't a real virus scanner at all, but actually a rogue anti-spyware program! A trojan called Zlob injects itself into explorer.exe and then opens a backdoor to install this Personal AntiVirus program onto the system, and after reboot it launches in the taskbar and pops a window up warning that many infections have been found, and it automatically starts to scan the whole system for further infection. What it is really doing is scanning your system to look for files it can infect! It is very well done as it does mimic a real virus scanner, including all the options, scanning routines and system tray icon with popup infection alerts.

It is fairly easy to remove though (just Google "Personal Antivirus" and some guides are found), but it is mentioned on a few sites that some systems will be harder to disinfect than others, with registry keys and files hidden throughout the Docs and Settings and Windows folders. Luckily it hasn't spread that far with this one.

So finally I got that off the system and installed Comodo Security Suite, updated XP to SP3 and updated all the hardware drivers. So that PC should be OK for a little longer. :)
 

r0jaws

Re: An evil Trojan

Funnily enough, a visit to my father's had me removing a very similar Trojan at the beginning of this week.
It was sophisticated enough to block all attempts to download SpybotSD from its website, and redirect you to a malicious 'Spyware removal' website.
Even when I managed to download Spybot from a third party, it would block the software's attempts to update via its servers, so I had to download the update file on another system and transfer it across.
Once the update was installed, Spybot could perform its scan and immediately found the collection of nasties responsible and removed them.
It was a bit unusual for me as this appeared to be the first trojan that I have personally come across that has infected a system that primarily uses Firefox. An installation of the rather useful 'NoScript' should help keep some of these nasties at bay for a little longer.
 
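The blocking and redirecting of anti-malware download and update sites that r0jaws describes is often done by tampering with the local hosts file, so that vendor hostnames resolve to loopback (blocked) or to an attacker-controlled address (redirected). The following is an added example, not code from the thread or from Spybot, that parses hosts-file text and flags such entries. It assumes the hosts-file mechanism; the vendor domain list and the sample hosts content are constructed for illustration and are not taken from any real infection.

```python
"""Flag hosts-file entries that hijack security-vendor domains.

Added example (not from the forum thread). Assumption: the infection
redirects vendor sites by editing the hosts file. The domain list below
is illustrative, not exhaustive, and SAMPLE_HOSTS is constructed.
"""
import ipaddress
import sys

# Constructed list of domains a rogue-AV infection would plausibly target.
PROTECTED_DOMAINS = (
    "safer-networking.org",   # Spybot S&D
    "malwarebytes.org",
    "mcafee.com",
    "symantec.com",
    "comodo.com",
    "windowsupdate.com",
)

# Constructed sample hosts file; 203.0.113.10 is a documentation address.
SAMPLE_HOSTS = """# Constructed sample hosts file for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.safer-networking.org    # blocks Spybot download
127.0.0.1       download.safer-networking.org
203.0.113.10    www.malwarebytes.org        # redirect to attacker host
192.168.1.5     myprinter.lan
"""


def _is_protected(host: str) -> bool:
    """True if host is a protected vendor domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def parse_hosts(text: str):
    """Return [(lineno, ip, [hostnames])] for each active hosts entry.

    Comments (after '#') and blank or malformed lines are skipped, and the
    address is validated so garbage never reaches the check below.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((lineno, ip, parts[1:]))
    return entries


def find_hijacks(text: str):
    """Report every entry that maps a protected domain to any address.

    A vendor domain should not appear in a hosts file at all: pointing it at
    loopback or 0.0.0.0 blocks the site ("block"), pointing it anywhere else
    sends the browser to a stranger's server ("redirect").
    """
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        for h in hosts:
            if _is_protected(h):
                kind = "block" if (ip.is_loopback or ip.is_unspecified) else "redirect"
                findings.append({"line": lineno, "host": h, "ip": str(ip), "kind": kind})
    return findings


def main(argv):
    # With a path argument, scan a real hosts file; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for f in find_hijacks(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
    return 1 if find_hijacks(text) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the three constructed hits, or with the path to a machine's hosts file (on Windows, `%SystemRoot%\System32\drivers\etc\hosts`) to check a suspect system. Since the check is purely local, it still works on a machine whose outbound DNS is also being tampered with, which is exactly the situation where it is needed.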

Harrison

Re: An evil Trojan

NoScript is definitely a very good Firefox plugin to improve internet security.

There are now so many ways that code can be delivered to inject a trojan into a system. Flash, Silverlight, JavaScript, Java... all client-side browser languages that require the user to download them before they run, making them high risk.

You wouldn't download an exe to your system and run it without first knowing what you were downloading and launching! And even then you would make sure your virus checker and spyware filters had passed the exe file through their scanners to give it the thumbs up. And yet we do a very similar thing every day by browsing webpages that contain client-side languages, allowing them to run scripts/applications in our browsers without authorising and checking them first. Surely this is the biggest security risk at the moment.

NoScript is brilliant at solving this issue, blocking all script-based content on a page until we explicitly authorise the page to allow it. And it only requires clicking on the blocked content to allow it to run. It also speeds up page loading as you don't need to wait for everything to load and play unless you really want it to. And that includes PDFs!

However, I have encountered some issues with NoScript. Sometimes it is too good at its own job and can break a site or page. And I've encountered it messing up pure XHTML/CSS layouts that contain no client-side scripting languages, and yet it still alters them. Disabling NoScript by allowing scripts globally is the only way around these situations. I've not found a way to code to prevent it from happening. But that is quite rare and it is still worth having NoScript active (alongside Adblock Plus!).
 